question about https redirect
cosmih <cosmih(at)gmail.com>
2007-06-25 17:46:27
hi,

I have read the man page for pound and I have searched the mailing list
archive about https redirect ... but I still have doubts about how I can
do the following thing:

we are in the process of relocating (another datacenter, another IP) our https
web application, and for the period of propagation of the DNS changes I want
to implement the following behavior:
--- the requests from my clients to "https://secure.myhost.com", when their
nameserver still doesn't know the NEW IP of "secure.myhost.com", to be taken
over by pound on the OLD IP and then redirected to the NEW IP .... on the OLD
(pound daemon) and NEW IPs (apache daemon) is the same SSL certificate

I must mention that the web application at secure.myhost.com can be
accessed only over https ... and not over http

can I do that with pound?

regards,
cosmih

Re: [Pound Mailing List] question about https redirect
Robert Segall <roseg(at)apsis.ch>
2007-06-25 19:00:35
On Mon, 2007-06-25 at 18:46 +0300, cosmih wrote:[...]

ListenHTTPS
	Address	OLD_ADDRESS
	Port	443
	Cert	"your_cert.pem"
	Service
		Redirect "https://NEW_ADDRESS"
	End
End

ListenHTTPS
	Address	NEW_ADDRESS
	Port	443
	Cert	"your_cert.pem"
	Service
		...
	End
End

[...]

Re: [Pound Mailing List] question about https redirect
cosmih <cosmih(at)gmail.com>
2007-06-26 17:41:35
hi,

sorry for this late reply !!!

your example is not working .... and I have tried with two different
pound.cfg files

here is what I tried to do and what did not work:

1)  on the OLD IP (172.16.20.231, it is a different machine) I started the pound
daemon .... on this machine I started a local dns server and this machine
looks to this local dns server for the myhost.com domain

  OLD_IP_MACHINE~ # dig secure.myhost.com
  ;; ANSWER SECTION:
  secure.myhost.com.    86400   IN      A       172.16.20.232

2) on the NEW IP (172.16.20.232, it is a different machine) I started apache
with the web application ...

  NEW_IP_MACHINE~ # dig secure.myhost.com
  ;; ANSWER SECTION:
  secure.myhost.com.    86400   IN      A       172.16.20.232

3) on my workstation (172.16.20.x, it is a different machine) I wrote in
/etc/hosts that secure.myhost.com is 172.16.20.231 (the OLD IP)

workstation ~ # ping -c 1 secure.myhost.com
PING secure.myhost.com ((172.16.20.231) 56(84) bytes of data.
64 bytes from secure.myhost.com ((172.16.20.231): icmp_seq=1 ttl=64 time=1.01 ms

4) and now from the firefox/seamonkey browser I have tried to access the
following link
https://secure.myhost.com/somedir/somefile.html?ART1=val1&ART2=val2&ART3=val3

and for pound.cfg1 I am redirected to
"https://172.16.20.232/somedir/somefile.html?ART1=val1&ART2=val2&ART3=val3"
and of course it is not working ...
for pound.cfg2 I have the following errors:
--------------
The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this
address in a way that will never complete.
-------------------

from the pound daemon I don't have any error log


these are my two pound.cfg files for preprod testing !!!!

pound.cfg1
--------------------------
User            "nobody"
Group           "nobody"
LogLevel         3
Alive               10
TimeOut         300
Daemon          1
DynScale        0
ListenHTTPS
        Address 172.16.20.231 # OLD IP
        Port 443
        xHTTP 0
        Cert "/etc/apache2/ssl/secure.myhost.com.pem"
        Ciphers "HIGH:MEDIUM:EXP:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP"
        Service "secure"
                Redirect "https://172.16.20.232" # NEW IP
        End
End
-----------------------

pound.cfg2
-----------------------
User            "nobody"
Group           "nobody"
LogLevel         3
Alive               10
TimeOut         300
Daemon          1
DynScale        0
ListenHTTPS
        Address 172.16.20.231 # OLD IP
        Port 443
        xHTTP 0
        Cert "/etc/apache2/ssl/secure.myhost.com.pem"
        Ciphers "HIGH:MEDIUM:EXP:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM:+EXP"
        Service "secure"
                Redirect "https://secure.myhost.com" # NEW IP
        End
End
-----------------------


On 6/25/07, Robert Segall <roseg(at)apsis.ch> wrote:[...]

Re: [Pound Mailing List] question about https redirect
Robert Segall <roseg(at)apsis.ch>
2007-06-27 18:35:01
On Tue, 2007-06-26 at 18:41 +0300, cosmih wrote:[...]

Why not? Is anything listening on .232?[...]

Re: [Pound Mailing List] question about https redirect
cosmih <cosmih(at)gmail.com>
2007-06-28 08:50:58
>[...]

why not what?

why is
"https://172.16.20.232/somedir/somefile.html?ART1=val1&ART2=val2&ART3=val3"
not working?

on the 172.16.20.232 machine the apache daemon is running and it is listening
on this IP only on port 443

why is it not working? because on this apache there is a vhost configured and
apache responds to the queries only for secure.myhost.com

moreover the SSL certificate from verisign is only for the secure.myhost.com
host, and if I make apache respond to the queries which contain the IP in the
url, the browser warns about the difference between the CN attribute from the
certificate and the host from the url

and I want the redirect to be unobserved by the client browser


regards,
mihai
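
The two failures reported in this thread (the certificate name mismatch with pound.cfg1 and the endless redirect with pound.cfg2) can be reproduced with a small model of the test setup. This is an added example, not part of the original messages and not Pound code; the function names and the simplified resolver/server model are assumptions, and only the IPs and hostname come from the thread.

```python
# Constructed model of the thread's test setup; Redirect targets are reduced
# to their host part ("https://172.16.20.232" -> "172.16.20.232").
OLD_IP, NEW_IP = "172.16.20.231", "172.16.20.232"
HOST = "secure.myhost.com"

def make_servers(redirect_target):
    """OLD IP runs Pound with a Redirect; NEW IP runs Apache with one vhost."""
    return {
        OLD_IP: {"cert_cn": HOST, "redirect": redirect_target},
        NEW_IP: {"cert_cn": HOST, "vhost": HOST},
    }

def fetch(url_host, client_hosts, servers, max_hops=5):
    """Follow redirects as a browser would; return (outcome, hops)."""
    hops = []
    for _ in range(max_hops):
        # An IP literal needs no lookup; a name uses the client's own view of DNS.
        ip = url_host if url_host in servers else client_hosts[url_host]
        server = servers[ip]
        hops.append((url_host, ip))
        # TLS name check: the host in the URL must match the certificate CN.
        if url_host != server["cert_cn"]:
            return "cert_name_mismatch", hops
        if "redirect" in server:
            # Pound only changes the URL; the client resolves the new host itself.
            url_host = server["redirect"]
            continue
        # Apache answers only for its configured vhost name.
        return ("ok" if url_host == server["vhost"] else "no_vhost"), hops
    return "redirect_loop", hops

def scenarios():
    stale = {HOST: OLD_IP}  # client still has the old record (the /etc/hosts entry)
    fresh = {HOST: NEW_IP}  # client after the DNS change has propagated
    return {
        "pound.cfg1, stale DNS": fetch(HOST, stale, make_servers(NEW_IP))[0],
        "pound.cfg2, stale DNS": fetch(HOST, stale, make_servers(HOST))[0],
        "fresh DNS": fetch(HOST, fresh, make_servers(HOST))[0],
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```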
